Watchlists reference

Updated January 13, 2026 20:17

Overview

Watchlists enable you to create groups of users you want to monitor more closely for risky file activity. Watchlists also enable you to implement preventative controls, such as restricting browser uploads, removable media, and cloud sharing.

Watchlist membership can be based on a wide range of attributes, including departing employees, new hires, contractors, users with elevated access to critical systems or confidential data, department or directory group membership, or any other custom criteria you define.

This reference guide describes the capabilities of the User Activity > Watchlists screen in the Incydr console. For more information about creating and editing watchlists, see Manage watchlists.

Considerations

To access watchlists, you must have a role with permissions to view and modify watchlist settings. For more information, see Permissions for Incydr.

Watchlists

To access watchlists:

Sign in to the Incydr console.
Go to User Activity > Watchlists.

Watchlists

Item		Description
a	Trust settings	Indicates trust settings are applied to this page. Click to learn more and to view your trust settings. File activity that matches an item on your list of trusted activity is excluded from dashboards, watchlists, user profiles, and alerts, but is still searchable in Forensic Search.
b	Selected time frame	Shows the time frame in which the file activity occurred. Click to change the time frame.
c	Create watchlist	Click to create a new watchlist.
d	Departing watchlist	Shows a summary of users on the Departing watchlist.
e	Watchlist recommendations	Shows the options for recommended watchlists you have not created yet.
f	List name	The name of the watchlist and the risk score applied to events for users on the list.
g	Total users	The number of users on the watchlist.
h	Users with critical events	The number of users on the watchlist with critical events.
i	User assignments	Indicates the criteria for defining the users on this watchlist: Individual users: Shows the number of individual users included in this watchlist. Excluded users: Shows the number of individual users excluded from this watchlist. Group names: Shows the names of departments and directory groups on this watchlist. Directory groups and department memberships are managed by your external provisioning provider. You cannot edit them from within Incydr.
j	Alert rules	Lists the alert rules that include this watchlist as a rule setting. Including a watchlist in a rule setting means alerts are triggered when any user on the watchlist performs activity that matches the alert rule criteria.
k	Preventative controls	Indicates which preventative controls are applied to users on this watchlist.
l	Actions	Clicks Actions for options to: Edit preventative controls Edit risk score Delete watchlist
m	View details	Click View details to open the watchlist details (see below).

Watchlist details

Item	Description
a	Risk indicator	Identifies the risk indicator and risk score added to file events for all users on this watchlist. For more information about risk indicators and how they work, see Risk settings reference.
b	Trust settings	Indicates trust settings are applied to this page. Click to learn more and to view your trust settings. File activity that matches an item on your list of trusted activity is excluded from dashboards, watchlists, user profiles, and alerts, but is still searchable in Forensic Search.
c	Search	Enter a username to find file activity for a specific user on the this watchlist. This searches across your entire Incydr environment and includes deactivated users.
d	Selected time frame	Shows the time frame in which the file activity occurred. Click to change the time frame.
e	Edit alerts	Click to see and modify the alerts that include this watchlist.
f	Edit users	Click to add users or remove users from the watchlist. If no users have been added yet, the button is labeled Add users.
g	Action menu	Edit title and description: Click to change the watchlist name or its description. Delete watchlist: Any users and alerts assigned to the watchlist are removed from the watchlist. Users are removed from the watchlist, but their User profiles still exist in Incydr and they can be added to other watchlists. If the assigned alerts are not being used elsewhere in Incydr, the alert rule is also deleted from alerts. Any integrations for the watchlist will no longer function.
h	Watchlist settings	Shows the following: Risk score: The risk indicators associated with the watchlist and the indicator's risk score. Preventative controls: The preventative controls applied to users on this watchlist. Users: The count of departments, directory groups, and individual users included and excluded from the watchlist. Instructor lesson: The lesson automatically sent to users when they are added to this watchlist. If you add a lesson to a watchlist with existing users, the lesson is only sent when new users are added to the watchlist. (Lessons are not sent to users already on the list.) Instructor lessons are sent immediately when a user is added to a watchlist. Only configure a lesson if you want users to receive immediate notification upon being added. For sensitive watchlists where discretion is required, do not add a lesson. Situational and custom lessons (without placeholder variables) are supported. Responsive lessons and custom lessons with placeholder variables cannot be added to a watchlist because the placeholders in the message require the lesson to be associated with a specific file event. Each watchlist supports a single lesson. To send multiple lessons, configure multiple watchlists. Alert rules: The alerts that include this watchlist as a rule setting. Click Edit to change the settings.
i	Departing users Departing watchlist only	Shows a summary of users on the Departing watchlist, including the number of users departing today, as well as in the next 7 and 30 days.
j	User activity by severity	Shows the number of users with file events for each severity. Click a severity to filter the list of users to include only file events of that severity.
k	Filter	Click to filter the list by: Event severity Departure date or start date (Departing and New hire watchlists only) Risk indicators Username Department (requires provisioning) Watchlists
l	List of users	Shows all users on the watchlist, sorted by the highest number of critical-severity file events, then by high-severity file events. See below for detailed descriptions of each column.
m	Risk report Departing watchlist only	Click to view a risk report for the departing user, summarizing activity from the past 90 days. The report includes a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many events they have that correspond to the most common exfiltration scenarios for departing employees.
n	Actions	Click Actions for options to: View profile: Opens the User Profile where you can view their past file events. View events in search: Opens the user's file events in Forensic Search, where you can see greater detail about the file events.
o	View details	Click to see more details about the user's file activity, including open alerts, cases, and file events with risk indicators applied.

List of users

Item		Description
a	User	Shows the name of user that performed the file activity, user attributes, and watchlist memberships. Department and Title attributes only appear if your Incydr environment uses provisioning.
b	Event severity	Displays the count of file events for each severity level (Critical, High, Moderate, and Low). Severity is determined by the sum of the scores for all risk indicators associated with an event. Higher scores denote higher risk severity. To learn more about how risk scores are calculated, see Risk settings reference.
c	Destination indicators	Risk indicator based on where a file is moved or uploaded.
d	Source indicators	Risk indicator based on files that were acquired from a source likely to contain company data.
e	File indicators	Risk indicator based on the type of file, as determined by the file extension and file contents.
f	User indicators	Risk indicator based on user behavior automatically detected by Incydr and inclusion in high risk user groups, such as departing employees.
-	Departure date / Start date (Not pictured)	Lists dates for new and departing users: Departure date: Date the employee is leaving the company (Departing watchlist only) Start date: Date the employee started working at the company (New hire watchlist only)
g	Notes	Displays any notes added to the User Profile.
-	Date added (Not pictured)	Date the user was added to this watchlist.
h	Filter	Click to filter the list by: Event severity Departure date or start date (Departing and New hire watchlists only) Risk indicators Username Department (requires provisioning) Watchlists
i	Action menu	Click Actions for options to: View profile: Opens the User Profile where you can view their past file events. View events in search: Opens the user's file events in Forensic Search, where you can see greater detail about the file events.
j	View details	Click to see more details about the user's file activity, including open alerts, cases, and file events with risk indicators applied.

View details

From the list of users, click View event details to see more information about a user's file activity.

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the screen.
b	Actions	Click the Actions menu and do one of the following: Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships. In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it. Select Send user an Instructor lesson to send a lesson to the user. Select a custom action. Incydr Flows connect other systems or workflows to Incydr. These integrations can add contextual information about users and orchestrate response controls. Custom actions are only available if your organization has worked with Incydr Professional Services to set up Incydr Flows and if you have the correct role. Visibility of actions You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example: To add users to watchlists, you must have the Insider Risk Admin role, the Departing Employee Manager role (for the Departing watchlist), or the High Risk Manager role (for all other watchlists). For more information about adding users to watchlists see Manage watchlists. To send Instructor lessons to users, you must have a product plan that includes Instructor and one of these roles: Insider Risk Admin, Insider Risk Analyst, Insider Risk Read Only, or Insider Risk Respond. To access Incydr Flows you must have the Insider Risk Respond role. For more information about Flows, see Introduction to Incydr Flows.
c	View profile	Opens the User Profile for the employee.
d	User	Displays a summary of the employee's information, including: Name Department* Title* Watchlists the employee has been added to *Displays this information if your environment uses provisioning. For more information, see Provision user attributes to Incydr.
e	Open alerts	Shows the number of open alerts the user has triggered during the selected time frame. Click to see the user's alerts.
f	Open cases	Shows the number of cases with the Open status for which the user has been added as the subject of the case. Click to see the user's cases.
g	Notes	Do one of the following: Click Add to add more details to the user's profile. Click Edit to modify existing notes. Notes are limited to 1000 characters.
h	Events with risk indicator	Displays counts of each file event severity with associated risk indicators. For more information about risk indicators, see Risk settings reference.
i	Investigate in Forensic Search	Click to see more details about the file events in Forensic Search. Learn more about using Forensic Search.
j	Filter	Click to show filters that allow you to see events based on risk indicator or watchlist. To remove a selected filter, click it again.
k	By PRISM score	Click to show file events by PRISM score in descending order.
l	By date observed	Click to show file events by the date the event occurred, with the most recent events on top.
m	View details	Click to view details about the file event. For detailed descriptions of each field, see File event metadata.
n	Filename/Details	Shows filename, risk indicators, PRISM score, and other details about the file event. If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search. To view all file events with more detail, click Investigate in Forensic Search .

Watchlists reference

Overview

Considerations

Watchlists

Watchlist details

List of users

View details

Related topics

Comments